Friday, May 19, 2017

Thoughts on the wannacry virus and the importance of starting assumptions

This was written just as a piece to see what happens to the potential outcome of a piece of analysis when basic assumptions change.  I’m not admitting whether I think any of the below is accurate (except for the facts I have taken from others’ primary forensic analysis).
More than enough has been written about the wannacry ransom attack, especially from a technical view point, and the post-attack analysis has made interesting reading in terms of ‘how’ this attack took place.  The quality of the forensic analysis has been pretty impressive – although some elements around attack vector still seem contested (or at least confusing to me.)
The reading on ‘who’ fashioned this attack has been less interesting in that it seems to have come to the conclusion it was North Korea on the basis of re-used code blocks and not much else from what I have read. 
The area that seems to have had even less analysis seems to be ‘why’.  It’s ransomware. it’s to make money.  I can almost see some of the people I know rolling their eyes in quiet desperation. Bear with me.  Why can sometimes help with the ‘who’ on the basis of ‘cui bono’ if nothing else.
What has struck me however is the fact that much of the discussion seems to have been based on the unquestioned assumption that this was about money. But something doesn’t seem to quite add up.
In the case of wannacry the problem is that if ransomware is to make money it’s just not very good ransomware – despite using what I understand to be an innovative and highly effective propagation mechanism (although more on that later).
So why isn’t it very good ransomware?  Well, firstly, the estimates I have seen suggest they have not made very much money out of it.  If that is the most effective measure of ransomware success, then wannacry would seem to fail.
Secondly, the inclusion of what seems to be a poorly thought out kill switch, which seems to have been the main reason why the spread was contained.  There are suggestions that this was a badly designed sandbox detection mechanism[1] and not a kill switch at all, but nevertheless, it has allowed the malware spread to stop.  This does raise the question of why a variant appeared that included a different domain name acting in the same way as the first. If it was clear that this technique was preventing success, then sending out a variant with the same technique embedded within it makes little sense. What I haven’t seen is whether there is any indication that any new variant is from the same criminals or whether it is someone taking a chance on getting a few dollars for not much work.
Third, the payment mechanism wasn’t particularly good with a limited number of hard coded bitcoin wallets (some reports say four and some say three) that would mean that any correlation between someone who paid and decryption would need to be done manually.   There seem to be two main public explanations for this; technical ineptitude or no intention ever to provide the promised decryption. The whole business model of kidnap and ransom (physical or virtual) would seem to be based on the belief that payment of the ransom will be honoured by the criminal.  Certainly in a repeatable virtual crime this would be fundamental to determining financial success.  This ransomware attack does not appear to have been designed to achieve financial success – at least not through ransom.
Of course, if we assume a financial motivation (and let’s at least be aware that it is an assumption) there are other ways to make money out of this sort of event.  Cyber-security company stocks, predictably, shot up in the immediate aftermath[2] (but have since fallen back quite a lot) and a plan that involved profiting from this would make some sense. I can only assume that somebody in law enforcement is already looking for unusual trades prior to the attack.  (I am not going to go down the route of suggesting that it was the cyber-security firms themselves who were responsible – most of them already seem to have a licence to print money – but any proper analysis should consider this possibility.)
However, we really should consider the hypothesis that this attack was not about making money in the first place.
The assumption that it is financial has led to the conclusion that it is a technically inept group responsible. 
However, if we assume a technically capable group as the perpetrators (rather than assume financial gain from ransom as the motive) then things potentially look somewhat different. With this new assumption:
·         Could the kill-switch be a deliberate design point to limit the spread of the malware - only disguised as a poorly thought out detection evasion system?
·         Instead of being a technical disaster, is the non-functional payment mechanism a deliberate attempt to damage the ransomware brand?
·         And the sloppy coding technique, is that just deliberate obfuscation of technical skill?
·         Could the choice of an exploit that took advantage of SMB and port 445 suggest that home users were explicitly excluded as a target?
The (welcome) rush to patch was of course also predictable and Microsoft had released a patch a month earlier (so a lot of scheduled upgrades would have taken place by the time the attack hit) and the attack did conveniently avoid year end, quarter end, or month end periods where the capability to implement changes might have been process limited. Microsoft’s ability to produce an XP patch in short order was clearly helpful but surprising given it has been out of support for so long.
It could also be argued that the one thing that wannacry has achieved above all else is raising awareness of the dangers of out of date and unpatched systems and as a result this could easily by the best thing to happen to UK IT infrastructure since we gave up on state support for ICL (if you’re not as old as me then you will have to look them up). Certainly the government’s NCSC seem to think it had value as a communications programme to “make people sit up and take notice...”[3] This must have been a relief, after the time and effort they have spent trying to get the message across both regarding the need for basis patching and the likelihood of a major event.
Once we change the assumption of financial motivation to an assumption of a high level of technical capability then there are completely new possibilities as to motivation and perpetrators.

No comments: